SBOM Grader
Project description
SBOM Grader
This project grades SBOMs according to Red Hat Product Security Guide to SBOMs.
Currently the script only fully supports SPDX v2.3 in json format. CycloneDX is partially supported in version v1.5 for Product SBOMs.
Installation
pip install sbomgrader
Quick start
To show the command line options, run the following command:
sbomgrader --help
This script uses both STDOUT and STDERR. STDOUT receives the output of the grading, while STDERR reports anything causing troubles to the command execution unrelated to the SBOM file.
Usage options
If you only specify the SBOM document, the script will try to estimate the SBOM type and apply all time-related cookbooks for that type (e.g. if it finds that an SBOM is for an RPM, it will run both rpm build and rpm release cookbooks). The release-time cookbook will take precedence in establishing the final grade.
To specify the cookbook to be used, use -c option. This option must be a reference
to an .y[a]ml file in the filesystem.
To specify SBOM type, the tool lets you specify SBOM type -tp and SBOM time -tm.
SBOM type ise either product, image, image_index, rpm or generic. Generic type
only checks the common features of other types, the other types are described [here]
(https://redhatproductsecurity.github.io/security-data-guidelines/sbom/). The SBOM times
are also explained in the article linked. You can select values build or release.
The default passing grade is B. This can be changed with the argument -g and the target value.
The script outputs data in three possible formats. The default one in Markdown,
you can also select json or yaml.
Architecture
This project uses terms like Rules, RuleSets, Cookbooks and CookbookBundles. These are all representations of a test suite to run against an SBOM file.
CookbookBundles are composed of Cookbooks which reference RuleSets which are made of Rules.
Rules are specific tests to be run, RuleSets are suites of Rules.
Cookbook defines which force has to be applied on each rule for each SBOM type. You are completely free to create your own cookbook if the provided ones don't suit your needs. CookbookBundles are only aggregation of Cookbooks which ensures no test has to be run more than once on any document.
For details about Cookbooks, refer to the cookbooks/README.md file.
For details about RuleSets, refer to the rulesets/README.md file.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sbomgrader-0.1.1.tar.gz.
File metadata
- Download URL: sbomgrader-0.1.1.tar.gz
- Upload date:
- Size: 48.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1a5b7c7dc9c031caa91d1a32bdfb7a1182e92fd4e48492bbc1c3674e71f53a51
|
|
| MD5 |
b4f1ed4cb671a0f5f973824efb39f6a8
|
|
| BLAKE2b-256 |
eb05fcfbae6f30e53b7ac749c3ad9bccd2289bcbedda0453c24a3cc076461e96
|
Provenance
The following attestation bundles were made for sbomgrader-0.1.1.tar.gz:
Publisher:
release-pypi.yml on BorekZnovustvoritel/SBOM-Grader
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sbomgrader-0.1.1.tar.gz -
Subject digest:
1a5b7c7dc9c031caa91d1a32bdfb7a1182e92fd4e48492bbc1c3674e71f53a51 - Sigstore transparency entry: 152197696
- Sigstore integration time:
-
Permalink:
BorekZnovustvoritel/SBOM-Grader@0064d50ce27e7fba90468e7b452aac2040cd515d -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/BorekZnovustvoritel
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@0064d50ce27e7fba90468e7b452aac2040cd515d -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file sbomgrader-0.1.1-py3-none-any.whl.
File metadata
- Download URL: sbomgrader-0.1.1-py3-none-any.whl
- Upload date:
- Size: 30.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b386fa41d8718d7ad199e0d7e6d79bee0ed078923040a1300e10e4b4b38ad5e
|
|
| MD5 |
73b01f19b30b1b16cf88fc4dc6cdc79a
|
|
| BLAKE2b-256 |
e499e00ed0590d3c1caead0be7eaf820e5dad7a1aedcf938aab52c0ece63d92c
|
Provenance
The following attestation bundles were made for sbomgrader-0.1.1-py3-none-any.whl:
Publisher:
release-pypi.yml on BorekZnovustvoritel/SBOM-Grader
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sbomgrader-0.1.1-py3-none-any.whl -
Subject digest:
4b386fa41d8718d7ad199e0d7e6d79bee0ed078923040a1300e10e4b4b38ad5e - Sigstore transparency entry: 152197697
- Sigstore integration time:
-
Permalink:
BorekZnovustvoritel/SBOM-Grader@0064d50ce27e7fba90468e7b452aac2040cd515d -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/BorekZnovustvoritel
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release-pypi.yml@0064d50ce27e7fba90468e7b452aac2040cd515d -
Trigger Event:
workflow_dispatch
-
Statement type:
